Inherent Risks From Security to Resilience

Article by Rois Ni Thuama PhD, Head of Cyber Governance, Red Sift

Years before I studied law, I had trained as a climbing instructor. I cannot travel to Scotland and sit in the shadows of her mountain ranges to discuss resilience without acknowledging that, for as long as humans have endeavoured to undertake anything worthwhile, it has always been a balancing act between making progress and protecting your people and your assets.

It is not the case that we simply do not undertake these challenges; of course we do. This is how, 47 years ago in September 1975, a British team successfully scaled the South West Face of Everest.

Chris Bonington's team succeeded not because they were immune to the dangers. They had made an unsuccessful attempt three years earlier. They succeeded because the leader and his team had carefully assessed a myriad of factors, including the conditions they were facing, the team that had been assembled, the assets and skills those individuals brought to the team, and the equipment and supplies they would need to give them a reasonable prospect of success.

When the weather turned inclement, the team's best ice-climber, Tut Braithwaite, laid the route for the five who eventually summited. It was a win for the whole team.

Their ability to endure and withstand testing conditions wasn’t born of ignoring what they might face, adopting a devil-may-care attitude and throwing caution to the wind. Their success rested on being completely honest about what they might face. They knew the risks, they prepared, and then they struck off. Resilience is born in the preparation phase.

Inherent Risks

The starting point for any undertaking, whether it is climbing Ben Nevis or operating in a digital landscape replete with bad actors poised to hold you to ransom or steal your commercially sensitive data, is leadership that fully appreciates the inherent risks associated with it. Leading requires optimism. But optimism is not blind faith; optimism is what is left after a realistic risk assessment.

Being prepared for the expected conditions, whilst also making plans to address and cope with circumstances should those conditions change or deteriorate, is material to withstanding and enduring shocks. This is resilience. We have been assessing risks and calculating our prospects of success since time immemorial. It should give us enormous confidence that none of this is new; we are simply applying what we have learned to a digital threat landscape that is becoming more dangerous for businesses of all sizes.

In order to prepare to meet the conditions, every mountain leader will keep an eye on credible sources to stay up to date with the latest weather report and mountain conditions. Every leader in business should likewise be looking to credible, trusted, independent sources to cut through the noise.

Not only are independent sources such as the National Cyber Security Centre (NCSC) and the National Institute of Standards and Technology (NIST) the best sources of information that is otherwise unavailable to the private sector, but relying on such institutions also offers a safe haven.

In the unlikely event that the guidance or information turns out to be imprecise, relying on credible sources offers a shield, a mechanism for defensibility in the face of litigation.

From Security to Resilience

In recent years the cybersecurity sector has seen a shift in the language, moving away from the concept of security to resilience. There is good reason for this and broadly the sector welcomes this move.

In the past we have all been guilty of over-simplifying our language to land a message with a broader audience. But this drive to simplify means that many non-technical stakeholders expect that a firm that has implemented sound cybersecurity measures will, in fact, be cyber secure. Of course, that is not the case, because it omits the painful truth: motivated actors can always find a way to breach even the most robust cybersecurity measures.

In the aftermath of an event, meaningful conversations are more challenging, as non-technical stakeholders who have suffered losses struggle to understand how a business that had implemented sound security measures was simultaneously vulnerable to an attack and was not, as they believed, cyber secure.

Transparency

Discussing the concept of resilience up front, rather than security, is a more transparent way to describe what it is that businesses do. Putting resilience front and centre as the overarching business imperative puts all stakeholders on notice of what the leadership values. In this way, leaders set out their vision for the firm: not one of excessive optimism relying on the notion of security, but a vision firmly rooted in reality that acknowledges that conditions can change. It sets out the firm's position that it can withstand and endure shocks because it has considered them and it is prepared.

Value Preservation

Making progress, or to put it in corporate terms, value creation, is one thing, but in today's world defending and protecting those gains is a necessary part of any business's resilience discussion.

If we consider directors' legal obligation to "promote the success of the company" (the duty set out in section 172 of the Companies Act 2006), then it is clear that value preservation is elevated to a corporate imperative. A company cannot succeed if it cannot endure conditions that it ought reasonably to have prepared for.

Concluding Remarks

The mountains are unforgiving of those who are ill-prepared and rely on excessive optimism as a strategy, and so is business. This is not a case for pessimism. This is a case for preparation, which is where resilience is born.

Products on the Red Sift Platform work together to block outbound phishing attacks, analyze the security of inbound emails, and provide domain impersonation defense for company-wide threat protection.
Find out more at redsift.com